HashiCorp Certified: Vault Associate Certification

Vault Replication

Configure Replication using the Vault CLI

HashiCorp Vault’s Disaster Recovery (DR) replication ensures high availability by maintaining a standby cluster that can take over in case of a primary failure. This guide shows you how to configure DR replication using the Vault CLI in Vault Enterprise.

Prerequisites

  • Vault Enterprise license
  • Two Vault clusters (Primary and Secondary)
  • Network connectivity on port 8200 between clusters
  • Vault CLI configured (VAULT_ADDR and token)

[!note] DR replication is an enterprise-only feature. Verify your Vault version supports DR replication before proceeding.

Step 1: Enable DR on the Primary Cluster

On the primary Vault server, run:

vault write -f sys/replication/dr/primary/enable

Endpoint                             Action
sys/replication/dr/primary/enable    Enable DR replication on primary

Step 2: Generate the Secondary Token

Still on the primary cluster, generate a token for the secondary:

vault write sys/replication/dr/primary/secondary-token id="us-east2-dr"
  • id: A meaningful identifier (e.g., region or datacenter).
  • The command returns a token to use in Step 3.

[!warning] Keep the secondary token secret—avoid committing it to code repositories or logs.

Step 3: Enable DR on the Secondary Cluster

On the secondary Vault server, use the token from Step 2:

vault write sys/replication/dr/secondary/enable token="s.XXXXXXXXXXXXXX"

Endpoint                               Action
sys/replication/dr/secondary/enable    Enable DR replication on secondary

Example Workflow

# On Primary Cluster
$ vault write -f sys/replication/dr/primary/enable
Success! DR replication primary enabled.

$ vault write sys/replication/dr/primary/secondary-token id="us-east2-dr"
Key    Value
---    -----
token  s.XXXXXXXXXXXXXX

# On Secondary Cluster
$ vault write sys/replication/dr/secondary/enable token="s.XXXXXXXXXXXXXX"
Success! DR replication secondary enabled.
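The three steps above driven from Python through the same `vault` CLI commands, with each step confirmed by reading `sys/replication/dr/status` (an added example, not the course's or HashiCorp's code). `FakeVault` and its canned output are constructed stand-ins so the flow runs offline, and the `-format=json` status shape (`data.mode`) is assumed.

```python
import json
import re
import subprocess
def real_runner(argv):
    """Invoke the vault CLI; VAULT_ADDR and the login token come from the environment."""
    return subprocess.run(["vault", *argv], check=True, capture_output=True, text=True).stdout

def parse_secondary_token(table):
    """Pull the token out of the Key/Value table that `vault write` prints."""
    rows = [ln.split() for ln in table.splitlines()]
    return next(r[1] for r in rows if len(r) == 2 and r[0] == "token")  # StopIteration if absent

def dr_mode(run):
    """Current DR mode (disabled / primary / secondary) read from the status endpoint."""
    return json.loads(run(["read", "-format=json", "sys/replication/dr/status"]))["data"]["mode"]

def enable_dr(run, role, **data):
    """Step 1 (role='primary') or Step 3 (role='secondary'), confirmed via the status endpoint."""
    kv = [f"{k}={v}" for k, v in data.items()]
    run(["write", *([] if kv else ["-f"]), f"sys/replication/dr/{role}/enable", *kv])
    mode = dr_mode(run)
    if mode != role:
        raise RuntimeError(f"{role} enable did not take effect, status reports mode {mode}")
    return mode

def issue_secondary_token(run, secondary_id):
    """Step 2: the id is the only free-form input in this flow, so keep it a plain label."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", secondary_id):
        raise ValueError("secondary id must be a short alphanumeric label")
    out = run(["write", "sys/replication/dr/primary/secondary-token", f"id={secondary_id}"])
    return parse_secondary_token(out)  # hand this to the secondary cluster, never to logs

class FakeVault:
    """Constructed stand-in for one cluster's CLI so the whole flow can run offline."""
    def __init__(self):
        self.mode = "disabled"
    def __call__(self, argv):
        path = next(a for a in argv if a.startswith("sys/"))
        if path.endswith("/status"):  # JSON shape assumed from `vault read -format=json`
            return json.dumps({"data": {"mode": self.mode}})
        if path.endswith("secondary-token"):
            return "Key    Value\n---    -----\ntoken  s.XXXXXXXXXXXXXX\n"
        self.mode = "primary" if "/primary/" in path else "secondary"
        return f"Success! DR replication {self.mode} enabled.\n"

def demo():
    primary, secondary = FakeVault(), FakeVault()  # two separate clusters
    mode1 = enable_dr(primary, "primary")
    token = issue_secondary_token(primary, "us-east2-dr")
    return mode1, token, enable_dr(secondary, "secondary", token=token)
```

Against real clusters, run each function with a `real_runner`-style callable while VAULT_ADDR points at the matching cluster; the token value itself is only ever passed on to the secondary enable call.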

Troubleshooting

Issue                               Resolution
Network connectivity issues         Open TCP port 8200 between Vault clusters
DNS or endpoint misconfiguration    Verify DNS records or update VAULT_ADDR
Vault API not reachable             Ensure the Vault service is running and accessible

[!note] After setup, the secondary cluster continuously receives data. In a primary outage, promote the secondary to minimize downtime.
